Minimal Fron End Web Appication with Secure External API Consumption - api

Problem requirement
Web application with a text field and a button. After introducing some text and clicking on the button, the web application shall call an API using credentials which should be invisible/inaccessible to the web user or its browser. This external API will take the input text an store it into a DB to which it is connected.
Unfortunately the API I need to call contains username and password inside the URL, so that they are visible to the browser.
API Login URL has this profile
https://apidomain/service/login/{{username}/{{password}}
Question
It is there a way to do this only using front end frameworks (vue, react) or static web sites without having to host a back-end service (to perform this external API call)?
I tried this with vuejs 3 successfully, but API call is browser visible.

you can use auth0 it provides fast solution
As far as I know there is no way to hide data except you need back-end auth0 is fast solution
but you might use hash function
hashed = f(username+password) so the user knows the hashed but he couldn't figure what's the username and password it's one way function

Related

Can I log in a user with email and password from node using the Firebase Admin SDK

With Firebase's Admin SDK, I want to allow a user to login (verify the user with my Firebase instance) without any JavaScript on the front end. Just an old fashioned POST, with the form data in the request body.
Then in node (server side) verify the email and password on the back-end, retrieve a token, update the user's session, pass back a cookie, etc. I've been digging around various examples and the Firebase Admin SDK docs but have not found an answer.
I can do it if I run the non-admin-SDK Firebase module, in node, but this seems like an odd approach to me, especially as I need the Admin SDK for some other things.
I could see why they want to force a "triangle" approach like say payment auths use.
Authorize with Firebase on the front end and pass a token to the back-end.
Not allowing the password to possibly be sent or stored on the node server unencrypted.
But I want to pass as little JS to the client as possible and I want my site (MPA) to be progressive (not need JS). It seems odd they would not address this in their docs. Other than in some explanation of how to write one's own validation or integrate with another.
If anyone can describe how this can be done or what the recommended approach is, I would be very happy.
Firebase's Admin SDKs are designed to be stateless, so don't have a concept of a current user. The recommended approach is what Firebase Authentication does, sign in on the client and pass an ID token with every request/connection to establish the identity of the user.
If you don't want to use Firebase's SDKs in your client-side application, you can call the REST API. I'm not sure if you can construct the right call with a FORM post though.
Also check:
Sign in with Firebase-Admin using node.js, the main answer is the recommend approach.
How to authenticate an user in firebase-admin in nodejs? shows how to sign in a user in Node.js with the regular/non-Admin SDK. This is probably closest to what you want to accomplish.

Browserless Authentication using the Web API

I am trying to authenticate a user inside a desktop application using the web api. I am not using a browser, I am using straight up GET and PUSH calls to the endpoints of the Spotify servers. Immediately I ran into some problems. It appears that upon the initial GET command to "accounts.spotify.com", the returned response includes HTML with a javascript function that runs and is responsible for dynamically generating HTML that you see on the initial login page. If you look at the Javascript function, it is clear that this is what is going on, however, you can also see this code is obfuscated and not meant to be used by us, the developers! (Link to Javascript code here for reference: Javascript function)
So my question is, while I can probably reverse engineer the code to get this working, would this be against the Spotify developer TOS?
Thanks!
Spotify's authentication happens through oauth, and a big part of user authentication as per the oauth rfc is where the user delegates permissions to your app to carry out API calls that affect their account, or return information about them. That's the web page you're seeing - it must be presented to your users so that they can delegate permissions so that Spotify can give your app an access token. It doesn't necessarily need to happen in a browser - it can happen in a web view inside your desktop application - but it does need to be loaded over https, and your application must not alter or reverse engineer the Spotify permissions delegations page.
As you correctly guessed, reverse engineering any Spotify APIs is against terms of service.
For more information on authorization on the Spotify platform, I'd recommend having a look at this guide.
Hope that helps! Please ping me if you have any more questions.
Hugh
Spotify Developer Support

OneDrive Authentication & Shared URL access

Couple of questions:
I implemented the authentication process with OneDrive. My desktop application is designed for end-users. Every time the application is launched the little browser window pops up asking the user to confirm access...and if more than 1 hour passed user needs to provide username and password. Is there any way that end-user with SOME SORT of saved credentials (or user Code +user Secret, or API code + API secret) will be able to invoke the application and not be prompted by browser form (that currently requires login - if access token expired - or confirmation)?
The goal of my application is file sharing - that is, one end user may send URL (to the file that he uploaded to OneDrive) to another user and the latter should be able to download the file by clicking on the link (without any prompts, exactly like in manual process of sharing link to the file in OneDrive). Is it possible? If yes, how to achieve that? That is, how do I get that URL? Redandent to say that I am looking for a programmatic way to obtain a URL that will achieve the above described)
The OneDrive authentication process uses Microsoft account, which supports OAuth 2.0. You should be able to point the user to:
https://login.live.com/oauth20_authorize.srf?client_id=CLIENT_ID&scope=SCOPE&response_type=code&redirect_uri=REDIRECT_URI
Once the user authenticated and authorizes your app, the user will be taken to REDIRECT_URI/?code=CODE, where your app can exchange that code for an access token at:
https://login.live.com/oauth20_token.srf?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&code=CODE&grant_type=authorization_code&redirect_uri=REDIRECT_URI.
There are more details at http://onedrive.github.io/auth/msa_oauth.htm.

Google Plus login with Javascript and Authenticating with PHP

While implementing the Facebook Connect to a web application , its possible to show Facebook Sign up page in a pop up and once logging in and Granting permissions are complete, its possible to Authenticate Again in PHP and to get the necessary details of the user, - id, email etc.
I believe, thats secure because, the User Insertion is not based on the Ajax Request Parameters.
Is it possible to do the same with Google Plus Login also ?
Means - Logging in to Google - Using Javascript SDK, asking permissions, Authenticating all done in a Pop Up Window. and then, Creating a new user with the Help of google-api-php-client ??
Yes, what you're trying to do is outlined with https://developers.google.com/+/web/signin/server-side-flow which includes some PHP code samples to help you do this. In general, the steps at authentication time are:
User clicks the "Sign in with Google" button which may pop-up a new window at Google prompting them to log in and authorize your webapp.
After they do so, a one-time code is sent to a JavaScript callback you specify.
Your Javascript method sends this code to your PHP server.
Your PHP server uses the client library to contact Google's server and exchange this one-time code for an access token and refresh token, which you keep and use to perform actions on the user's behalf.

Retrieving Page from HTTPS Website

I am registered user of a website that provides stock quotes values and I want to create a desktop application where in I will display the stock updates of a specific quotes.
For that, I need to parse a web page which is visible only when I login to the website. If I try to access that page, without logging in, it redirects me to the login page.
The Website does not provide any API for developing such a client application. Is there any way I can login to the website using the desktop client and thus access the required web page?
Regards,
TheLameProgrammer
You'll need to first do a HTTP POST to the login page, store the cookies that come back, then pass these along with any furture request you make.
Same as the browser does.
Hopefully this question is in earnest and not spam but the answer is no